Behavior analytics tools for cybersecurity move into enterprises

Behavior analytics is one of the more recent buzzwords in enterprise cybersecurity, with more than 35 vendors competing for customers, according to security analysts.

Behavior analytics in cybersecurity is roughly defined as using software tools to detect patterns of data transmissions in a network that are out of the norm. The theory is that the analytics tool would detect the anomaly and alert IT managers, who would stop the unusual behavior or cyberattack.

Enterprises use behavior analytics to detect intrusions that evade preventive technologies such as firewalls, intrusion-prevention systems and antivirus software. Those conventional tools match fingerprints or signatures identified in prior attacks, while behavior analytics tools study and report anomalies that are judged against a baseline of normal behavior. Among the users of behavior analytics is the National Security Agency, which uses the analytics to detect threats to its private cloud system.

The market for behavior analytics tools gained steam in 2015, but is still "immature," according to a report from 451 Research analyst Eric Ogren. Sometimes it's hard to prove how effective the concept is in bolstering security, he noted, and called for more focused proof of concept case studies to demonstrate the value of the tools.

While some are skeptical of the value of behavorial analytics, one company has seen real value. Parchment, a digital credential management service used by thousands of schools, universities and other businesses, deployed an unusual behavior analytics tool in August. Called Enterprise Immune System from vendor Darktrace, the tool relies on machine learning to detect emerging threats inside its network, said Bob Langan, Parchment's vice president of engineering.

"We wanted to enhance our perimeter and complement what the firewalls were doing," Langan said in describing why Parchment chose Darktrace. Part of the problem with other security approaches was that it's difficult to stay 100% current on the latest virus or other attack, he said in an interview.

Within the Darktrace tool is a visualizer console that allows network technicians to drill down into individual desktops or mobile devices to watch the data packets moving in and out in real time, Langan said "Nothing out there does what this does, especially for how it adapts and lets us detect something new," he added.

"I can replay a security event, narrow it down, watch the points of contention and assess the root cause and take steps to correct it, so that's a lot of benefit and time saved," Langan said.

While it might seem that the Darktrace tool would increase the workload for IT staffers, it has actually reduced the number of security logs they must assess.

"There's almost no event log surfing for my guys. They just drill down and find out what's happening without surfing millions of logs,"Langan said. "Traditional methods and tools, I think, pale in comparison to what Darktrace is doing. It updates every minute of every day, and I no longer worry about getting hit when I am sleeping and not knowing the source. It's not just learning about threats in our company, it goes globally."

Parchment is privately held and Langan wouldn't discuss how much his company paid for the Darktrace hardware and software.

Darktrace said a majority of its customers subscribe to the tool with a monthly fee that includes software, hardware and threat intelligence reports prepared by Darktrace threat analysts. Detailed pricing wasn't available, but Darktrace said the price is based on the number of devices connected to the network, the amount of traffic and the network configuration.

Ogren, the analyst at 451 Research, said the Darktrace Enterprise Immune System consists of network appliances that use 300 different measurements of user, device and network activity to detect attacks. Darktrace uses a mathematical model to group views of a network for analysis, allowing a company to distinguish acceptable new business practices from suspicious activity. Darktrace also makes an industrial version of the product.

Of the 35-plus companies involved in behavior analytics, Ogren said the largest ones are RSA, LogRhythm, Rapid7
and Splunk . Players that focus on network flow data to develop models of behavior include Niara and Vectra Networks, Ogren said.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.